Closed Bug 758224 Opened 11 years ago Closed 11 years ago

bug in nsPluginStreamListenerPeer dtor, pushing nearly-invalid address to an outside reference

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla15

People

(Reporter: jaas, Assigned: jaas)

References

Details

Attachments

(1 file)

fix v1.0
880 bytes, patch
benjamin
: review+
akeybl
: approval-mozilla-aurora-
Details | Diff | Splinter Review
Attached patch fix v1.0Splinter Review 
294 nsPluginStreamListenerPeer::~nsPluginStreamListenerPeer()
295 {
296 #ifdef PLUGIN_LOGGING
297   PR_LOG(nsPluginLogging::gPluginLog, PLUGIN_LOG_NORMAL,
298          ("nsPluginStreamListenerPeer::dtor this=%p, url=%s\n",this, mURLSpec.get()));
299 #endif
300 
301   if (mPStreamListener) {
302     mPStreamListener->SetStreamListenerPeer(this);
303   }

We should be doing 'SetStreamListenerPeer(nsnull)', not setting it to 'this' from the dtor. Found this while writing another patch that exposes this bug via double-free.
Attachment #626807 - Flags: review?(benjamin)
Attachment #626807 - Flags: review?(benjamin) → review+
Blocks: 758227
Comment on attachment 626807 [details] [diff] [review]
fix v1.0

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 475991
User impact if declined: Possible cause of crashes.
Testing completed (on m-c, etc.): Should land on m-c today.
Risk to taking this patch (and alternatives if risky): Not risky.
String or UUID changes made by this patch: None
Attachment #626807 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/3a519ed51c90
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
(In reply to Josh Aas (Mozilla Corporation) from comment #2)
> Comment on attachment 626807 [details] [diff] [review]
> fix v1.0
> 
> [Approval Request Comment]
> Bug caused by (feature/regressing bug #): Bug 475991
> User impact if declined: Possible cause of crashes.
> Testing completed (on m-c, etc.): Should land on m-c today.
> Risk to taking this patch (and alternatives if risky): Not risky.
> String or UUID changes made by this patch: None

Do we have an idea of speculative volume of crashes this would fix? If thought to be low, I think this can ride the trains given how old the regressing Bug 475991 is.
(In reply to Alex Keybl [:akeybl] from comment #4)

> Do we have an idea of speculative volume of crashes this would fix? If
> thought to be low, I think this can ride the trains given how old the
> regressing Bug 475991 is.

I don't know for sure because it's not clear what the crash signature might be. I think the crash volume is probably low, possibly non-existent.

The patch is very low risk though, and it's the type of bug that concerns me quite a bit (promoting usage of a pointer to a deleted object).

The crash would probably happen here if it happened at all:

http://mxr.mozilla.org/mozilla-central/source/dom/plugins/base/nsNPAPIPlugin.cpp#541
Comment on attachment 626807 [details] [diff] [review]
fix v1.0

[Triage Comment]
Let's let this ride the trains if it's unclear how much impact this patch will have.
Attachment #626807 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora-
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.